This document describes how to authenticate to Google Cloud from the on-premises or any cloud edition of ABAP SDK for Google Cloud.
Applications developed using the ABAP SDK for Google Cloud require authentication to connect to Google Cloud APIs. The SDK enables the usage of Google Cloud recommended best practices for authentication.
For authentication and authorization to access Google Cloud APIs, the SDK mainly uses tokens. In addition, the SDK also supports API keys to authenticate to Google Cloud APIs that use API keys.
Depending on the Google Cloud APIs that you need to access, the environment where your SAP system is hosted, and the security requirements of your SAP system, you can choose an appropriate authentication type. The following table summarizes supported authentication types based on the hosting location of your SAP system:
SAP system location | Authentication type | Instructions |
---|---|---|
SAP RISE, regardless of where the servers are hosted | JSON Web Token (JWT) | Authenticate using JSON Web Tokens (JWT) |
SAP system hosted on Compute Engine VM | Access tokens | Authenticate using access tokens |
SAP system hosted outside Google Cloud | JSON Web Token (JWT) | Authenticate using JSON Web Tokens (JWT) |
SAP system hosted outside Google Cloud | Access tokens | Authenticate using tokens through Workload Identity Federation |
Authentication to Google Cloud APIs using API keys
Only a few Google Cloud APIs use API keys for authentication, for example, Google Maps Platform. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys. Regardless of where your SAP system is hosted, you can use API keys for authentication as long as the API that you want to use supports API keys.
To authenticate to Google Cloud API using API keys, use one of the following methods:
Authentication to Google Workspace APIs using OAuth 2.0 client credentials
To access Google Workspace APIs, you can use OAuth 2.0 client credentials. OAuth 2.0 client credentials let you retrieve a token in the context of an end user, such as a token required to access Google Sheets. Regardless of where your SAP system is hosted, you can use OAuth 2.0 client credentials for authentication to Google Workspace APIs as long as the system supports OAuth 2.0.
For information about setting up authentication to Google Workspace APIs, see Authenticate to Google Workspace APIs using OAuth 2.0 client credentials.
Authenticate using access tokens
This section shows how to set up authentication to access Google Cloud APIs using tokens when your SAP system is hosted on a Compute Engine VM instance.
In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
In the Google Cloud console, create an IAM service account for the host VM instance.
For information about how to create a service account, see Create a service account.
Grant the Service Account Token Creator role to the service account. For instructions, see Grant a single role.
Attach the service account to the VM instance where your SAP workload is running. Also, set the VM's access scope to `cloud-platform`.
- If you specify the service account by using the Google Cloud console, then the VM's access scope automatically defaults to the `cloud-platform` scope.
- If you specify the service account by using the Google Cloud CLI or the Compute Engine API, then you need to set the API access scope to Allow full access to all Cloud APIs.
For instructions, see Create a VM and attach the service account.
After updating the scope, restart the VM. If you have multiple VM instances for the same SAP installation, then you must complete this step on all those VM instances.
In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs.
For instructions, see Create a service account.
Grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see IAM basic and predefined roles reference.
If you created the service account in a different project than the project that contains the Google Cloud APIs, then you must perform additional steps for the service account setup. For more information, see Set up service accounts in a cross-project environment.
In the SAP system, configure the client key:
In SAP GUI, execute the transaction code `/GOOG/SDK_IMG`. Alternatively, execute the transaction code `SPRO`, and then click SAP Reference IMG.
Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
Click New Entries.
Enter values for the following fields:
Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. For example, `TEST_PUBSUB`. |
Google Cloud Service Account Name | Specify the name of the service account to which you have granted permissions to access Google Cloud APIs. For example, `sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com`. If the host VM of your SAP system that contains the SDK is in a different project than the one with the Google Cloud APIs enabled, then specify the service account which is used for accessing Google Cloud APIs. For more information, see Set up service accounts in a cross-project environment. |
Google Cloud Scope | Specify the API access scope, `https://www.googleapis.com/auth/cloud-platform`. |
Google Cloud Project Identifier | Specify the ID of the Google Cloud project that contains your target APIs. |
Command name | Leave this field blank. |
Authorization Class | Specify the authorization class, `/GOOG/CL_AUTH_GOOGLE`. |
Token Caching | The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching. |
Token Refresh Seconds | The amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500. |
Authorization Parameter 1 | Leave this field blank. |
Authorization Parameter 2 | Leave this field blank. |
Save the new entry.
In the SAP system, create new RFC destinations for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
For information about creating RFC destinations, see RFC destinations.
In the SAP system, configure the service mapping table for IAM API, and other APIs that you plan to consume using the ABAP SDK for Google Cloud.
In SAP GUI, execute the transaction code `/GOOG/SDK_IMG`. Alternatively, execute the transaction code `SPRO`, and then click SAP Reference IMG.
Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
Click New Entries.
Specify RFC destinations for IAM API and other APIs, for example, Pub/Sub API v1.
Name | Service Name | RFC Destination |
---|---|---|
Google Cloud Key Name | iamcredentials.googleapis.com | ZGOOG_IAMCREDENTIALS |
Google Cloud Key Name | pubsub:v1 | ZGOOG_PUBSUB_V1 |
Save the new entry.
In the SAP system, validate the authentication configuration. For more information, see Validate authentication configuration.
Set up service accounts in a cross-project environment
The host VM of your SAP system, which contains the SDK, can be in a different Google Cloud project than the one with the Google Cloud APIs enabled. In this case, you must set up service accounts with the required IAM roles so that the SDK can access the APIs from the different project.
The following table shows an example of service account setup for cross-project API access.
Environment | SAP host VM | Google Cloud APIs |
---|---|---|
Google Cloud project | project-sap-host | project-google-apis |
Service account assigned to the SAP host VM | sa-sap-host@project-sap-host.iam.gserviceaccount.com | N/A |
Service account for accessing Google Cloud APIs | sa-google-apis@project-sap-host.iam.gserviceaccount.com | N/A |
IAM roles for the service account | In the project project-sap-host, grant the service account sa-sap-host@project-sap-host.iam.gserviceaccount.com the Service Account Token Creator role. | In the project project-google-apis, add the service account sa-google-apis@project-sap-host.iam.gserviceaccount.com as a principal and grant the service account appropriate roles to connect to the Google Cloud APIs. |
To set up the service accounts, perform the following steps:
- In the Google Cloud project that contains your SAP host VM, grant the service account of the SAP host VM the Service Account Token Creator role. For more information about the steps, see Grant a single role.
- In the Google Cloud project that contains your SAP host VM, create a service account. Note the name of the service account. You specify this name when you add the service account as a principal to the other project that contains the Google Cloud APIs.
- In the other project that contains the Google Cloud APIs, add the service account as a principal and grant appropriate roles to connect to the Google Cloud APIs.
To add a service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:
In the Google Cloud console, go to the IAM Permissions page:
Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example: Permissions for project "PROJECT_NAME". If it is not, then switch projects.
On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.
In the New principals field, specify the name of the service account.
In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (`roles/pubsub.editor`). For more information about API specific predefined roles, see IAM basic and predefined roles reference.
Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.
Click Save. The service account appears in the list of project principals on the IAM page.
Authenticate using JSON Web Tokens (JWT)
This section shows how to set up authentication to access Google Cloud APIs using a token when your SAP system is running on a host that is on premises, on another cloud provider, in another environment outside of Google Cloud, or managed by SAP through the SAP RISE program.
For authentication to Google Cloud, you use Google Cloud signed JSON Web Tokens (JWT) to obtain access tokens from Google Cloud.
The high-level configuration steps are as follows:
- Create a service account for JWT based token retrieval.
- Configure security settings for Google Cloud on the SAP host.
- Enable the Google Cloud APIs.
- Create another service account for authorization to access Google Cloud APIs.
- Create SAP configurations.
- Validate authentication configuration.
Create a service account for JWT based token retrieval
For JWT based authentication to Google Cloud, ABAP SDK for Google Cloud needs an IAM service account.
Create a service account
In the Google Cloud console, create an IAM service account for JWT based token retrieval, and grant the service account the Service Account Token Creator role.
For information about how to create a service account, see Create a service account.
Create a service account key
You need to create a P12 service account key for the service account used for JWT based token retrieval.
To create a service account key, perform the following steps:
In the Google Cloud console, go to the IAM & Admin Service accounts page.
Select your Google Cloud project.
Click the email address of the service account that you created for JWT based token retrieval in the previous section, Create a service account.
Under the service account name, click the Keys tab.
Click the Add Key drop-down menu, and then select Create new key to create a service account key.
Accept P12 as the key type and click Create.
A private key is downloaded to your computer.
Make a note of the password for the private key file, `notasecret`.
Provide the private key and password to your SAP administrator to import the private key into `STRUST`, as described in Import the service account key into STRUST.
Specify the service account for JWT signing
If you created the service account for JWT signing in a different project than the project that contains the Google Cloud APIs, then you need to specify the service account on the SAP host system.
If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.
To specify the service account for JWT signing, perform the following steps:
In SAP GUI, execute the transaction code `/GOOG/SDK_IMG`. Alternatively, execute the transaction code `SPRO`, and then click SAP Reference IMG.
Click ABAP SDK for Google Cloud > Basic Settings > Configure Parameters.
Click New Entries.
In the Parameter Name field, enter `JWT_SERVC_ACCT`. The parameter description is automatically populated.
In the Parameter Value field, enter the name of the service account.
Save the new entry.
Configure security settings for Google Cloud on the SAP host system
To enable JWT signing for the service account that you created for JWT based token retrieval, you need to configure security settings for Google Cloud on the SAP host system.
Create a new Secure Store and Forward (SSF) Application
Each `SSFAPPLIC` entry lets you save a single service account key. To save service account keys for multiple projects, you need to create multiple `SSFAPPLIC` entries by following the same steps.
To create a new entry in the table `SSFAPPLIC`, perform the following steps:
- In the SAP GUI, enter transaction code `SE16`.
- In the Table Name field, enter `SSFAPPLIC`, and create a new entry.
- In the APPLIC field, enter a name for your SSF application, such as `ZG_JWT`.
- Except for the B_INCCERTS, B_DETACHED, B_ASKPWD, and B_DISTRIB fields, select all other fields.
- In the DESCRIPT field, enter `JWT Signature for GCP`.
- Save the new entry.
This entry becomes a new node in transaction `STRUST`, where you import the service account key.
Enable the STRUST node
Use transaction `SSFA` to enable the `STRUST` node for JWT Signature for GCP.
To enable the `STRUST` node, perform the following steps:
- In the SAP GUI, enter transaction code `SSFA`.
- Click New Entries.
- In the SSF Application drop-down list, select JWT Signature for GCP. This is the new entry that you created in the table `SSFAPPLIC`. The application specific SSF parameters are automatically populated.
- Save the new entry.
A new node SSF JWT Signature for GCP is enabled in transaction `STRUST`.
Import the service account key into STRUST
To import the service account key into `STRUST`, perform the following steps:
In the SAP GUI, enter transaction code `STRUST`.
Verify that the new node in transaction `STRUST` is SSF JWT Signature for GCP.
Import the private key file:
- Select PSE > Import from the menu bar.
- Depending on your SAP system, select the appropriate private key:
  - SAP S/4HANA: Select the P12 private key. Enter the file password `notasecret`, and then click OK.
  - SAP ECC: Select the PSE private key. You need to convert the P12 private key that you downloaded earlier into a PSE private key. For more information about converting a P12 key into a PSE key, see Convert P12 key into PSE key. Enter the file PIN that you created during the private key conversion from P12 key to PSE key, and then click OK.
Select PSE > Save as.
Select SSF Application, and in the corresponding input field, select the new SSF Application node that you created in Create a new Secure Store and Forward (SSF) Application.
Save the new entry.
The service key is attached to the SSF application node SSF JWT Signature for GCP.
Convert the P12 private key into PSE key
If your SAP system is SAP NetWeaver 7.0x (SAP ECC), then you need to convert the P12 key into a PSE key.
To convert the P12 key into a PSE key, perform the following steps:
Go to the path `/usr/sap/SID/SYS/exe/run/`. Replace SID with the SAP system ID.
Run the following command after replacing the placeholders:
```
sapgenpse import_p12 -p PSE_PATH_AND_FILE_NAME P12_PATH_AND_FILE_NAME.p12
```
Replace the following:
- PSE_PATH_AND_FILE_NAME: specify the path and filename for the PSE file
- P12_PATH_AND_FILE_NAME: specify the path and filename for the P12 key file
Enter the password of the P12 private key file, `notasecret`.
Create a new PIN for the PSE private key and re-enter your PIN.
Make a note of the PIN; you need to provide this PIN when importing the PSE private key file into `STRUST`.
For information from SAP about how to convert a P12 key into a PSE key, see:
Enable the Google Cloud APIs
In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
Create a service account for authorization to access Google Cloud APIs
For authentication and authorization to access Google Cloud APIs, the ABAP SDK for Google Cloud needs an IAM service account.
Create a service account
In the Google Cloud console, create an IAM service account. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK. If you create the service account in the same project that contains the Google Cloud APIs, then the service account is added as a principal to the project automatically.
If you create the service account in a project other than the project where the Google Cloud APIs are enabled, then you need to add the service account to that project in an additional step.
In the Google Cloud console, create an IAM service account for authentication and authorization to access Google Cloud APIs.
For information about how to create a service account, see Create a service account.
In the Google Cloud console, grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see IAM basic and predefined roles reference.
If you created the service account in a different project than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then note the name of the service account. You specify the name when you add the service account to that project. For more information, see Add the service account to the Google Cloud project.
Add the service account to the Google Cloud project
If you created the service account for ABAP SDK for Google Cloud in a project other than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then you need to add the service account to the Google Cloud project that contains the Google Cloud APIs.
If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.
To add an existing service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:
In the Google Cloud console, go to the IAM Permissions page:
Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example: Permissions for project "PROJECT_NAME". If it is not, then switch projects.
On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.
In the Grant access to "PROJECT_NAME" dialog, perform the following steps:
- In the New principals field, specify the name of the service account.
- In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (`roles/pubsub.editor`). For more details about API specific predefined roles, see IAM basic and predefined roles reference.
Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.
Click Save. The service account appears in the list of project principals on the IAM page.
The service account can now be used to access Google Cloud APIs in this project.
Set up HTTPS connection
The SAP application server is required to connect to Google Cloud APIs through HTTPS.
On the SAP host, confirm that firewall rules or proxies are configured to allow egress traffic from the HTTPS port to the required Google Cloud APIs.
Specifically, your SAP system must be able to access the following API endpoints:
- https://iamcredentials.googleapis.com
- API endpoints for the APIs that you want to consume using the SDK.
Create SAP configurations
For JWT based authentication, create the required SAP configurations.
Specify access settings in the client key table
To specify the access settings, perform the following steps:
In SAP GUI, execute the transaction code `/GOOG/SDK_IMG`. Alternatively, execute the transaction code `SPRO`, and then click SAP Reference IMG.
Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
Click New Entries.
Enter values for the following fields:
Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. |
Google Cloud Service Account Name | Specify the name of the service account, in email address format, that was created for ABAP SDK for Google Cloud in the step Create a service account. For example: `sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com`. |
Google Cloud Scope | Specify the access scope, `https://www.googleapis.com/auth/cloud-platform`. |
Project ID | Specify the ID of the Google Cloud project that contains your target APIs. |
Command name | Leave this field blank. |
Authorization Class | Specify the authorization class, `/GOOG/CL_AUTH_JWT`. |
Authorization Field | Leave this field blank. |
Token Refresh Seconds | Leave this field blank. |
Authorization Parameter 1 | Specify the name of the SSF application that you created in the section Create a new Secure Store and Forward (SSF) Application. |
Save the new entry.
Create new RFC destinations
Create RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud, for example, Pub/Sub API v1.
RFC destination name | Notes |
---|---|
ZGOOG_IAMCREDENTIALS | This RFC destination targets the IAM API. |
ZGOOG_OAUTH2_TOKEN | This RFC destination targets the Google Cloud endpoint for token based authentication. |
ZGOOG_PUBSUB_V1 | This RFC destination targets the Pub/Sub API. |
For information about creating RFC destinations, see RFC destinations.
Specify RFC destinations in the service mapping table
In the service mapping table, specify the RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud.
To specify the RFC destinations, perform the following steps:
In SAP GUI, execute the transaction code `/GOOG/SDK_IMG`. Alternatively, execute the transaction code `SPRO`, and then click SAP Reference IMG.
Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
Click New Entries.
Specify RFC destinations for IAM API and other APIs. For example:
Name | Service Name | RFC Destination |
---|---|---|
Google Cloud Key Name | iamcredentials:v1 | ZGOOG_IAMCREDENTIALS |
Google Cloud Key Name | googleapis.com/oauth2 | ZGOOG_OAUTH2_TOKEN |
Google Cloud Key Name | pubsub.googleapis.com | ZGOOG_PUBSUB_V1 |
Save the new entry.
Authenticate using tokens through Workload Identity Federation
With Workload Identity Federation, you can grant on-premises or multicloud SAP workloads access to Google Cloud resources without using a service account key. You can use Workload Identity Federation with Amazon Web Services (AWS) or with any identity provider (IdP) that supports OpenID Connect (OIDC), such as Microsoft Azure or SAML 2.0.
Workload Identity Federation follows the OAuth 2.0 token exchange specification. You provide a credential from your IdP to the Security Token Service, which verifies the identity on the credential, and then returns a federated token in exchange. You can use this token to impersonate a service account and obtain a short-lived OAuth 2.0 access token. The short-lived access token lets you call any Google Cloud APIs that the service account has access to.
For authentication using tokens through Workload Identity Federation, the high-level configuration steps are as follows:
- Prepare your external IdP.
- In Google Cloud, configure Workload Identity Federation.
- In Google Cloud, create a service account.
- In Google Cloud, allow the external workload to impersonate the service account.
- In ABAP SDK for Google Cloud, implement ABAP code to retrieve security tokens from your IdP.
- In ABAP SDK for Google Cloud, configure client key.
Not all Google Cloud products support Workload Identity Federation. Before setting up authentication using Workload Identity Federation, review the list of supported products and limitations. For more information, see Workforce identity federation: supported products and limitations.
Prepare your external IdP
You need to prepare your IdP so that your SAP workload can obtain credentials that can be exchanged for a Google OAuth 2.0 security token.
To prepare your external IdP, perform the steps depending on your IdP:
- If you're using AWS or Azure as your IdP, then follow the instructions to prepare your external IdP.
- If you're using other IdPs, then follow the instructions to prepare your external IdP.
Configure Workload Identity Federation
In Google Cloud, configure a workload identity pool and a workload identity pool provider.
You configure an identity pool, which is an entity that lets you manage external identities. You also configure a workload identity pool provider, which is an entity that describes a relationship between Google Cloud and your IdP.
To configure Workload Identity Federation, perform the steps depending on your external IdP:
- If you're using AWS or Azure as your IdP, then follow the instructions to create the workload identity pool and provider.
- If you're using other IdPs, then follow the instructions to create the workload identity pool and provider.
Make a note of the following:
- Project number: the project number of the Google Cloud project where you created the workload identity pool.
- Pool ID: a unique ID that identifies the workload identity pool.
- Provider ID: an ID that identifies the workload identity pool provider.
You need them for the ABAP SDK client key configuration.
Create a service account
In Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK.
In the Google Cloud console, enable the IAM Service Account Credentials API, Security Token Service API, and any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
Create a service account that represents the workload.
Grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see IAM basic and predefined roles reference.
Allow the external workload to impersonate the service account
To allow the external workload to impersonate the service account, perform the steps depending on your external IdP:
- If you're using AWS or Azure as your IdP, then follow the instructions to allow the external workload to impersonate the service account.
- If you're using other IdPs, then follow the instructions to allow the external workload to impersonate the service account.
Implement ABAP code to retrieve security tokens from your IdP
ABAP SDK for Google Cloud provides an abstract class `/GOOG/CL_AUTH_WIF_BASE`, which has the logic to retrieve OAuth 2.0 security tokens from the Security Token Service and OAuth 2.0 access tokens from the IAM Service Account Credentials API.
As a developer, you need to create a class in your namespace that inherits from the abstract class `/GOOG/CL_AUTH_WIF_BASE`. This class must implement the method `GET_EXT_IDP_TOKEN` and write the logic to get the security token from your IdP and populate the following fields:
- `CV_TOKEN`: the token retrieved from your IdP in the `string` format.
- `CV_TOKEN_TYPE`: the type of the security token retrieved from your IdP. The supported token types are:
  - `urn:ietf:params:oauth:token-type:jwt`
  - `urn:ietf:params:oauth:token-type:id_token`
  - `urn:ietf:params:aws:token-type:aws4_request`
  - `urn:ietf:params:oauth:token-type:access_token`
  - `urn:ietf:params:oauth:token-type:saml2`
The values populated in `CV_TOKEN` and `CV_TOKEN_TYPE` are then used by methods of the abstract class `/GOOG/CL_AUTH_WIF_BASE` to exchange and retrieve the final OAuth 2.0 token, which is used in the API calls.
The following example shows the sample implementations of method `GET_EXT_IDP_TOKEN` for other Cloud providers such as AWS and Azure.
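As an added example that is not part of the SDK documentation or the SDK's own code, the following class implements `GET_EXT_IDP_TOKEN` for an SAP system that runs on an Azure VM with a managed identity: it requests a token from the Azure Instance Metadata Service (IMDS), checks the HTTP status and response body, and hands the token to the base class as a JWT. The class name `ZCL_AUTH_WIF_AZURE`, the audience value, the use of `REDEFINITION` to pick up the inherited method signature, and the assumption that leaving `CV_TOKEN` empty makes the base class fail the token exchange are assumptions, not taken from the SDK.

```abap
CLASS zcl_auth_wif_azure DEFINITION
  PUBLIC
  INHERITING FROM /goog/cl_auth_wif_base
  CREATE PUBLIC.

  PUBLIC SECTION.
    " Implements the abstract SDK method. CV_TOKEN and CV_TOKEN_TYPE are the
    " fields named in the SDK documentation; the rest of the signature is
    " inherited through REDEFINITION (assumption: no extra parameters needed).
    METHODS get_ext_idp_token REDEFINITION.

  PRIVATE SECTION.
    " Azure IMDS token endpoint. It is link-local, so it is only reachable from
    " inside the VM, and the VM's managed identity signs the returned token.
    CONSTANTS gc_imds_url TYPE string VALUE
      'http://169.254.169.254/metadata/identity/oauth2/token'.
    " Audience (resource) requested from Azure. Assumed value: it must match the
    " allowed audience configured on the workload identity pool provider.
    CONSTANTS gc_audience TYPE string VALUE 'api://ASSUMED-AUDIENCE'.

    " Subset of the IMDS JSON response that this class needs.
    TYPES: BEGIN OF ty_imds_response,
             access_token TYPE string,
             expires_on   TYPE string,
             token_type   TYPE string,
           END OF ty_imds_response.
ENDCLASS.

CLASS zcl_auth_wif_azure IMPLEMENTATION.
  METHOD get_ext_idp_token.
    DATA lo_client TYPE REF TO if_http_client.
    DATA lv_status TYPE i.
    DATA lv_body   TYPE string.
    DATA ls_resp   TYPE ty_imds_response.

    " Start from a clean state so a failed call never hands a stale token on.
    CLEAR: cv_token, cv_token_type.

    " api-version and resource are the documented IMDS query parameters.
    cl_http_client=>create_by_url(
      EXPORTING
        url    = |{ gc_imds_url }?api-version=2018-02-01&resource={ gc_audience }|
      IMPORTING
        client = lo_client
      EXCEPTIONS
        OTHERS = 1 ).
    IF sy-subrc <> 0.
      RETURN.  " CV_TOKEN stays empty; the base class cannot exchange it.
    ENDIF.

    lo_client->request->set_method( if_http_request=>co_request_method_get ).
    " IMDS rejects requests without this header; it is there so that requests
    " relayed through a browser or a redirect cannot reach the token endpoint.
    lo_client->request->set_header_field( name = 'Metadata' value = 'true' ).

    lo_client->send( EXCEPTIONS OTHERS = 2 ).
    IF sy-subrc = 0.
      lo_client->receive( EXCEPTIONS OTHERS = 3 ).
    ENDIF.
    IF sy-subrc <> 0.
      lo_client->close( ).
      RETURN.
    ENDIF.

    lo_client->response->get_status( IMPORTING code = lv_status ).
    lv_body = lo_client->response->get_cdata( ).
    lo_client->close( ).

    " Only a 200 carries a token; anything else (e.g. 400 for a wrong
    " resource, 404 when no managed identity is assigned) is a failure.
    IF lv_status <> 200.
      RETURN.
    ENDIF.

    " /ui2/cl_json is the standard SAP JSON deserializer; low_case maps the
    " JSON keys onto the ABAP field names of ty_imds_response.
    /ui2/cl_json=>deserialize(
      EXPORTING
        json        = lv_body
        pretty_name = /ui2/cl_json=>pretty_mode-low_case
      CHANGING
        data        = ls_resp ).

    IF ls_resp-access_token IS INITIAL.
      RETURN.
    ENDIF.

    " Do not log lv_body or the token: it is a bearer credential for the
    " managed identity until it expires.
    cv_token      = ls_resp-access_token.
    " The managed identity token is a signed JWT, so the exchange with the
    " Security Token Service uses the jwt token type from the list above.
    cv_token_type = 'urn:ietf:params:oauth:token-type:jwt'.
  ENDMETHOD.
ENDCLASS.
```

The SDK's own AWS and Azure samples may differ in signature and error handling; adapt the method header to whatever `/GOOG/CL_AUTH_WIF_BASE` declares on your installation and raise the exception type it expects instead of returning silently.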
Configure client key
- In SAP GUI, execute the transaction code `/GOOG/SDK_IMG`. Alternatively, execute the transaction code `SPRO`, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. |
Google Cloud Service Account Name | Leave this field blank. |
Google Cloud Scope | Leave this field blank. |
Google Cloud Project Identifier | Specify the ID of the Google Cloud project where you created the workload identity pool. |
Command name | Leave this field blank. |
Authorization Class | Specify the authentication class, which contains the implementation of the method `GET_EXT_IDP_TOKEN`. |
Token Caching | Leave this field blank. |
Token Refresh Seconds | Leave this field blank. |
Authorization Parameter 1 | Specify the workload identity pool ID. |
Authorization Parameter 2 | Specify the workload identity provider ID. |
- Save the entry.
Authenticate to Google Workspace APIs using OAuth 2.0 client credentials
To authenticate to Google Workspace APIs using OAuth 2.0 client credentials, you need to complete the following configurations in your Google Cloud project and your SAP landscape:
- Google Cloud console configurations
- SAP landscape configurations
The ABAP SDK for Google Cloud is shipped with the following core components, which are required for the OAuth 2.0 client credentials based authentication:
- OAuth 2.0 service provider type `/GOOG/ABAP_SDK` that you specify for your OAuth 2.0 client profile configuration.
- Authentication class `/GOOG/CL_OAUTH_GOOGLE` that you specify for the client key configuration.
- SAP Business Add-Ins (BAdIs) implementations that pre-populate Google specific OAuth parameters such as endpoints and required parameter settings.
However, you also need to complete the following configurations in your SAP landscape:
- Create OAuth 2.0 client profile
- Configure OAuth 2.0 client
- Configure client key
- Request OAuth 2.0 access tokens
Create OAuth 2.0 consent
The OAuth consent screen is a prompt that tells users who's requesting access to their data and what kind of data users are allowing your app to access.
In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.
Select the External user type for your app, and click Create.
To complete the app registration form, specify the following details:
- App name: the name of the application that requires consent.
- User support email: a support email for users to contact you with questions about their consent.
- Authorized domains: the domains to be used during OAuth consent.
- Developer contact information: the email addresses for Google to notify you about any changes to your project.
Click Save and Continue.
Create OAuth 2.0 client ID credentials
To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers.
In the Google Cloud console, go to Menu > APIs & Services > Credentials.
Click Create Credentials > OAuth client ID.
In the Application type field, select Web application.
In the Name field, type a name for the credentials. This name is shown only in the Google Cloud console.
Under Authorized redirect URIs, click Add URI. Then, enter your SAP redirection URI to which the OAuth 2.0 server can send responses. You can get the SAP redirection URI from the OAuth 2.0 settings in your SICF transaction.
Click Create.
Make a note of the Client ID and the Client secret.
Create OAuth 2.0 client profile
As an ABAP developer, you create an OAuth client profile with the OAuth 2.0 scopes that are required for your business requirements. For information about the OAuth 2.0 scopes for the Google APIs, see OAuth 2.0 Scopes for Google APIs.
A sample OAuth client profile /GOOG/OAUTH_PROFILE_SAMPLE is shipped with the SDK, with the OAuth 2.0 scopes configured for Google Sheets API.
- In the SAP GUI, enter transaction code SE80.
- From the drop-down list, select Development Object.
- To create a development object in the custom namespace, select Create > Others > OAuth 2.0 Client Profile in the context menu of the object name.
- Enter the following details:
- In the Client Profile field, enter a name of the client profile.
- In the Type field, select /GOOG/ABAP_SDK. This is the default provider type shipped with the ABAP SDK for Google Cloud.
- Add the necessary scopes to your client profile. For information about the OAuth 2.0 scopes, see OAuth 2.0 Scopes for Google APIs.
- Save the client profile to your development package. Include the client profile in a transport request, which can be transported to higher environments.
Configure OAuth 2.0 client
As an SAP administrator, you associate the OAuth client profile with the Google Cloud client credentials.
This is a one-time activity that you need to perform on every SAP system in your SAP landscape (Development, Testing, and Production).
- In the SAP GUI, enter transaction code OA2C_CONFIG. The SAP login page opens in your default browser.
- Log in with your SAP credentials.
- To create an OAuth 2.0 client, click Create.
- In the Create a new OAuth 2.0 client dialog box:
- Select the OAuth 2.0 client profile that you created earlier in Create OAuth 2.0 client profile in your SAP system.
- Enter a configuration name.
- Enter the OAuth 2.0 Client ID from Google Cloud credentials that you created earlier in Create OAuth 2.0 client ID credentials.
- Click OK.
- On the Administration tab, in the General Setting section, enter the client secret from the Google Cloud credentials that you created earlier in Create OAuth 2.0 client ID credentials.
If you are using a proxy server to route the outbound HTTP/HTTPS traffic from your SAP system, then you need to maintain the following proxy host details in the Access Settings section:
- Proxy host
- Proxy port
- Proxy user
- Proxy password
Click Save.
Configure client key
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. |
Google Cloud Service Account Name | Leave this field blank. |
Google Cloud Scope | Leave this field blank. |
Google Cloud Project Identifier | Specify the ID of the Google Cloud project that contains your target APIs. |
Command name | Leave this field blank. |
Authorization Class | Specify the authentication class, /GOOG/CL_OAUTH_GOOGLE. |
Token Caching | Leave this field blank. |
Token Refresh Seconds | Leave this field blank. |
Authorization Parameter 1 | Specify the name of the OAuth client profile that you created earlier in Create OAuth 2.0 client profile in your SAP system. |
Authorization Parameter 2 | Specify the configuration name that you defined in the OAuth 2.0 client for a client ID. This field is mandatory if you have associated a single OAuth client profile with more than one client ID. For more information, see Multiple Google Cloud projects scenario. |

- Save the new entry.
Request OAuth 2.0 access tokens
As an end user, you need to request an OAuth 2.0 access token to allow access to the API resources.
This is a one-time activity that each user needs to perform on every SAP system in your SAP landscape (Development, Testing, and Production). If the OAuth scopes are modified, users need to repeat this activity.
- In the SAP GUI, enter transaction code OA2C_GRANT. The SAP login page opens in your default browser.
- Log in with your SAP credentials.
- Select the client ID with which you want to access the APIs.
- Click Request OAuth 2.0 Tokens.
In the Sign in with Google consent screen, enter your Google account credentials and click Allow.
A green indicator in the Access Status column indicates access to the API resources is allowed as per the OAuth 2.0 client profile.
Multiple Google Cloud projects scenario
If you have enabled your Google Cloud APIs in more than one Google Cloud project, then follow this guidance for setting up authentication using OAuth 2.0 client credentials:
- In all the Google Cloud projects:
- In your SAP system:
- Create an OAuth 2.0 client profile.
- Configure OAuth 2.0 client for each client ID.
- If you need to associate a single OAuth client profile with more than one client ID, then follow these additional instructions:
- Configure OAuth 2.0 client for each client ID. When configuring an OAuth 2.0 client, in the Create a new OAuth 2.0 client dialog box, specify a unique configuration name for each client ID. For more information, see Configure OAuth 2.0 client.
- Configure separate client keys for each OAuth 2.0 client with its own configuration name in Authorization Parameter 2. For more information, see Configure client key.
Authenticate using API key stored in SAP SSF
The high-level configuration steps are as follows:
- Create an API key
- Store the API key in SSF
- Configure client key
- Create new RFC destinations
- Configure service mapping
- Validate authentication configuration
Create an API key
For authentication using API key, you need to create an API key.
An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe.
ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.
Google Cloud provides multiple ways to create API keys.
To create API keys using the Google Cloud console, perform the following steps:
In the Google Cloud console, go to the Credentials page.
Click Create Credentials and select API key from the menu.
The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication to Google Cloud.
By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs with which this API key can be used. For more information about adding API restrictions, see Add API restrictions.
Store the API key in SSF
The ABAP SDK for Google Cloud provides an option to securely store API keys using the SAP Secure Store and Forward mechanism (SSF).
By using the SSF option, you can store the API key in an encrypted format in the table /GOOG/APIKEY_BIN. When an API is called, the API key is retrieved from the table /GOOG/APIKEY_BIN, decrypted, and appended to the API endpoint URI.
For security purposes, you cannot view the contents of /GOOG/APIKEY_BIN using standard tools such as the transactions SE16, SE16N, or SE11.
Prerequisites
For authentication using API key stored in SAP SSF, you must have version 8.5 and above of the SAP Cryptographic Library installed in your SAP system. For more information about SAP Cryptographic Library, see 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB) and 397175 - SAP Cryptographic software - export control.
To verify the version of SAP Cryptographic Library, perform the following steps:
- In the SAP GUI, enter transaction code STRUST.
- Go to the Environment menu, and then click Display SSF Version.
Set up SSF application
In the table SSFAPPLIC, create a new SSF application ZG_APK that encrypts the API key. ZG_APK is the default SSF application name. Alternatively, you can create an SSF application with your preferred name or use an existing SSF application that has a different name. If you want to use a different SSF application for encryption, then you need to configure the SSF application name in Authorization Parameter 1 of the client key table.
To create a new entry in the table SSFAPPLIC, perform the following steps:
- In the SAP GUI, enter transaction code SE16.
- In the Table Name field, enter SSFAPPLIC, and then create a new entry.
- In the APPLIC field, enter ZG_APK. Specify values in the following fields.

Field | Value |
---|---|
APPLIC | ZG_APK |
B_TOOLKIT | Select the flag. |
B_FORMAT | Select the flag. |
B_PAB | Select the flag. |
B_PROFID | Select the flag. |
B_PROFILE | Select the flag. |
B_HASHALG | Leave this field blank. |
B_ENCRALG | Leave this field blank. |
B_INCCERTS | Leave this field blank. |
B_DETACHED | Leave this field blank. |
B_ASKPWD | Leave this field blank. |
B_DISTRIB | Select the flag. |
DESCRIPT | API Key Encryption for GCP |
Save the new entry.
Create SSF parameters
- In the SAP GUI, enter transaction code SM30.
- Open the view VSSFARGS.
- For application ZG_APK (API Key Encryption for GCP), create a new entry. The application-specific SSF parameters are automatically populated.
- Save the new entry.
Create a Personal Security Environment (PSE)
- In the SAP GUI, enter transaction code STRUST.
- Under node SSF API Key Encryption for GCP, right-click and select Create.
- In the Algorithm field, select RSA. Leave other fields with system-populated default values.
- Save the new entry.
Store the API key
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).
- In the Google Key Name field, enter the name of the client key configuration.
- In the API Key field, enter the API key that you created earlier in Create an API key.
- Select Save.
- Click Execute to store the API key.
Configure client key
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. For example, DEMO_API_KEY. |
Google Cloud Service Account Name | Leave this field blank. |
Google Cloud Scope | Specify the API access scope, https://www.googleapis.com/auth/cloud-platform. |
Project ID | Specify the ID of the Google Cloud project that contains your target APIs. |
Command name | Leave this field blank. |
Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_API_KEY_SSF. |
Token Caching | The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching. |
Token Refresh Seconds | Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500. |
Authorization Parameter 1 | If the SSF application name is different from ZG_APK, then specify your SSF application name. |
Authorization Parameter 2 | Leave this field blank. |

- Save the new entry.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
If RFC destinations are not created and configured, the ABAP SDK for Google Cloud functions using the default API endpoints maintained in individual API client stubs.
Configure service mapping
Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.

Name | Service Name | RFC Destination | Google Cloud Key Name |
---|---|---|---|
 | addressvalidation:v1 | ZGOOG_ADDRVALDN_V1 | |

- Save the new entry.
Delete an API key
If an API key is no longer used, then you can delete the API key from your SAP system.
To delete an API key, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).
- In the Google Key Name field, enter the name of the client key configuration.
- Select Delete.
- Click Execute to delete the API key.
Authenticate using API key stored in Secret Manager
The high-level configuration steps are as follows:
- Create an API key
- Create a secret and store the API key
- Configure client key for Secret Manager access
- Configure client key for the secret
- Create new RFC destinations
- Configure service mapping
- Validate API key retrieval from Secret Manager
- Validate authentication configuration
Create an API key
For authentication using API key, you need to create an API key.
An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe.
ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.
Google Cloud provides multiple ways to create API keys.
To create API keys using the Google Cloud console, perform the following steps:
In the Google Cloud console, go to the Credentials page.
Click Create Credentials and select API key from the menu.
The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication to Google Cloud.
By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs with which this API key can be used. For more information about adding API restrictions, see Add API restrictions.
Create a secret and store the API key
The ABAP SDK for Google Cloud provides an option to securely store API keys using the Secret Manager service of Google Cloud. For securely storing API key strings, Secret Manager enables you to follow the best practices for securely using API keys.
To create a secret and store the API key, perform the following steps:
Enable the Secret Manager API.
In Google Cloud console, create a secret, and store the API key as the latest version.
For information about how to create a secret, see Create a secret.
The ABAP SDK for Google Cloud by default retrieves only the latest version of a secret.
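The retrieval step described above, and the "decrypted and appended to the API endpoint URI" behaviour described in the SSF section, as an added example that is not code from the ABAP SDK for Google Cloud. It shows the Secret Manager REST exchange that a client key using /GOOG/CL_AUTH_API_KEY_SM stands in for: the `versions/latest:access` resource URL, decoding of the `payload.data` field and a CRC-32C check of `dataCrc32c` before the key is trusted, then appending the key as the `key` query parameter and masking it before the URL is logged. The project ID, secret name, sample key and canned response are constructed for this example; the redaction helper is this example's own addition, not SDK behaviour.

```python
"""Added example (not ABAP SDK for Google Cloud code): fetch an API key from a
Secret Manager secret version and attach it to a target endpoint URI.
All identifiers, sample values and the canned response are constructed."""
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

SECRET_MANAGER_BASE = "https://secretmanager.googleapis.com/v1"


def access_secret_version_url(project_id: str, secret_id: str, version: str = "latest") -> str:
    """URL of projects.secrets.versions.access; 'latest' mirrors the SDK default."""
    return (f"{SECRET_MANAGER_BASE}/projects/{project_id}/secrets/{secret_id}"
            f"/versions/{version}:access")


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli, reflected), the checksum Secret Manager reports in dataCrc32c."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def extract_api_key(response_body: str) -> str:
    """Decode payload.data from an access response and verify its checksum.

    The request itself carries a bearer token obtained through the client key
    configured for Secret Manager access (sent separately; not shown here).
    """
    payload = json.loads(response_body)["payload"]
    data = base64.b64decode(payload["data"])
    # dataCrc32c arrives as a decimal string (int64 in the JSON mapping)
    expected = payload.get("dataCrc32c")
    if expected is not None and int(expected) != crc32c(data):
        raise ValueError("secret payload checksum mismatch; refusing to use the API key")
    return data.decode("utf-8")


def append_api_key(endpoint: str, api_key: str) -> str:
    """Append the key as the 'key' query parameter, keeping existing parameters."""
    parts = urlparse(endpoint)
    query = dict(parse_qsl(parts.query))
    query["key"] = api_key
    return urlunparse(parts._replace(query=urlencode(query)))


def redact_api_key(url: str) -> str:
    """Mask the key before the URL reaches a log line (keys in URLs end up in logs)."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    if "key" in query:
        query["key"] = "REDACTED"
    return urlunparse(parts._replace(query=urlencode(query)))


# Constructed sample: placeholder key and the response a successful access call returns
SAMPLE_API_KEY = "AIza-CONSTRUCTED-SAMPLE-KEY"
_SECRET_NAME = "projects/example-project/secrets/TEST_SECRET/versions/1"
_ENCODED = base64.b64encode(SAMPLE_API_KEY.encode()).decode()
SAMPLE_RESPONSE = json.dumps({
    "name": _SECRET_NAME,
    "payload": {"data": _ENCODED, "dataCrc32c": str(crc32c(SAMPLE_API_KEY.encode()))},
})
# Constructed sample with a corrupted checksum, to show the integrity check firing
SAMPLE_TAMPERED_RESPONSE = json.dumps({
    "name": _SECRET_NAME,
    "payload": {"data": _ENCODED,
                "dataCrc32c": str((crc32c(SAMPLE_API_KEY.encode()) + 1) & 0xFFFFFFFF)},
})

if __name__ == "__main__":
    print(access_secret_version_url("example-project", "TEST_SECRET"))
    key = extract_api_key(SAMPLE_RESPONSE)
    url = append_api_key("https://addressvalidation.googleapis.com/v1:validateAddress", key)
    print(redact_api_key(url))
```

The checksum check is the part worth copying: a truncated or corrupted payload that still base64-decodes would otherwise be sent as the key on every call, and the failure only shows up as 4xx responses from the target API.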
Configure client key for Secret Manager access
Secret Manager APIs use tokens for authentication, so you need to set up token-based authentication to access Secret Manager APIs depending on your SAP deployment.
Use one of the token-based authentication methods described earlier in this document to set up access to Secret Manager APIs.
Note down the client key name that you created for Secret Manager access.
Configure client key for the secret
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. For example, DEMO_API_KEY. |
Google Cloud Service Account Name | Leave this field blank. |
Google Cloud Scope | Specify the API access scope, https://www.googleapis.com/auth/cloud-platform. |
Project ID | Specify the ID of the Google Cloud project that contains your target APIs. |
Command name | Leave this field blank. |
Authorization Class | Specify /GOOG/CL_AUTH_API_KEY_SM. |
Token Caching | The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching. |
Token Refresh Seconds | Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500. |
Authorization Parameter 1 | Specify the name of the client key that you've created for Secret Manager access. For example, CLIENT_KEY_SM. |
Authorization Parameter 2 | Specify the name of the secret, which has the API key stored. For example, TEST_SECRET. |

- Save the new entry.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
If RFC destinations are not created and configured, the ABAP SDK for Google Cloud functions using the default API endpoints maintained in individual API client stubs.
Configure service mapping
Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.

Name | Service Name | RFC Destination | Google Cloud Key Name |
---|---|---|---|
 | addressvalidation:v1 | ZGOOG_ADDRVALDN_V1 | |

- Save the new entry.
Validate API key retrieval from Secret Manager
To validate API key retrieval from Secret Manager, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate API key retrieval (Using Secret Manager).
- Specify the client key name.
- Click Execute to check if the API key is retrieved successfully from Secret Manager.
Validate authentication configuration
To validate the authentication configuration, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.
- Enter the client key name.
- Click Execute to check if the overall flow is configured successfully.
A green check in the Result column indicates that all configuration steps are completed successfully.
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following:
- Refer to the ABAP SDK for Google Cloud troubleshooting guide.
- Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
- Collect all available diagnostic information and contact Cloud Customer Care. For information about contacting Customer Care, see Getting support for SAP on Google Cloud.